
CN-122027155-A - Method and system for updating root key by switching communication network by equipment terminal


Abstract

The invention discloses a method and a system by which a device terminal updates its root key when switching communication networks. In the method, a root key generation and storage device presets and stores an initial root key ciphertext in a quantum security device terminal. When the quantum security device terminal changes the communication network it accesses, that is, when it accesses the second communication network, identity authentication is required and an update operation is performed on the initial root key to obtain a root key that can be used in the second communication network. Building on the preset root key ciphertext, the invention updates the original root key when the terminal logs out of one communication network and accesses another independent communication network, so the terminal can complete the network switch and subsequent encrypted communication without being returned to the factory, which greatly improves the flexibility and usability of the device.

Inventors

  • ZHU MENGYA
  • ZHANG CHAO

Assignees

  • 矩阵时光数字科技有限公司

Dates

Publication Date
20260512
Application Date
20260413

Claims (8)

  1. A method for a device terminal to switch communication networks for root key update, the method comprising the steps of:
     (1) The root key generation and storage device generates an initial root key FILE0 and a root key encryption key0 for the quantum security device terminal, encrypts the initial root key FILE0 by using the root key encryption key0 to obtain an initial root key ciphertext FILE0, and presets the initial root key ciphertext FILE0 to be stored in the quantum security device terminal;
     (2) When the quantum security device terminal accesses a communication network for the first time, that is, accesses the first communication network, it performs root key authentication with the first network communication device in the first communication network, and after the authentication passes, the quantum security device terminal and the first network communication device carry out encrypted communication using a key in the initial root key file0;
     (3) When the quantum security device terminal changes the communication network it accesses, that is, accesses a second communication network, it initiates identity authentication to a second root key operator in the second communication network through the second network communication device in the second communication network, and after the identity authentication passes, the second root key operator requests from the root key generation and storage device the first update key-up1 corresponding to the quantum security device terminal and the information of the first root key operator, in the first communication network, where the initial root key file0 is located;
     (4) The second root key operator receives these, establishes a connection with the first root key operator according to the information of the first root key operator, acquires the initial root key file0 from the first root key operator, and uses the first update key-up1 to execute the update operation on the initial root key file0 to obtain a first update root key file1;
     (5) The quantum security device terminal also executes the update operation to obtain a second update root key file1', carries out a consistency comparison between the local second update root key file1' and the first update root key file1 in the second network communication device, and, if the comparison succeeds, carries out encrypted communication based on the key in the second update root key file1'.
  2. The method for updating root key of device terminal switching communication network as in claim 1, wherein the root key generation and storage device is provided with an association table, and the association table is used for associating and storing the device identity ID of the quantum security device terminal, the initial root key file0 and the corresponding root key encryption key0.
  3. The method for root key update in a device terminal handover communication network according to claim 2, wherein the specific process of step (2) is as follows:
     1) When the quantum security device terminal accesses the first communication network, the quantum security device terminal generates a hash function and uses it to hash the initial root key ciphertext FILE0, obtaining a first hash value H1. It then initiates a root key authentication request to the first network communication device. The root key authentication request comprises the device identity ID of the quantum security device terminal, the first hash value H1, a character string str1 formed by the coefficients, except that of the highest term, of the irreducible polynomial P1 used for generating the hash function, and an input random number S;
     2) The first network communication device sends the root key authentication request to the root key generation and storage device through the first root key operator. The root key generation and storage device first looks up the associated initial root key file0 and the corresponding root key encryption key0 by the device identity ID of the quantum security device terminal. It then generates an irreducible polynomial p1 with a highest-term coefficient of 1, taking each character of the character string str1 as the coefficient of a polynomial term other than the highest term, generates a hash function H_{p1,s1} from the irreducible polynomial p1 and an input random number s1, and uses H_{p1,s1} to calculate the hash value of the ciphertext obtained by encrypting the initial root key file0, giving a second hash value H2. It compares whether the second hash value H2 is consistent with the first hash value H1. If so, the root key generation and storage device sends the locally stored initial root key file0 and the corresponding root key encryption key0 to the first root key operator, and deletes the initial root key file0 and the corresponding root key encryption key held under the ID of the quantum security device terminal;
     3) After the root key authentication request passes, the first root key operator forwards the root key encryption key0 to the quantum security device terminal through the first network communication device, and the quantum security device terminal decrypts the local initial root key ciphertext FILE0 by using the root key encryption key0 to obtain the initial root key FILE0. The first root key operator also sends the initial root key FILE0 to the first network communication device, and after receiving the initial root key FILE0 the first network communication device performs encrypted communication with the quantum security device terminal by using a key in the initial root key FILE0.
  4. A method for performing root key update in a device terminal switching communication network according to claim 3, wherein the specific process by which the second root key operator requests the first update key-up1 corresponding to the quantum security device terminal from the root key generation and storage device is:
     A1. The second root key operator generates a root key acquisition request carrying the device identity ID of the quantum security device terminal, and sends the request to the root key generation and storage device;
     A2. The root key generation and storage device uses the device identity ID of the quantum security device terminal as an index, finds that the stored information corresponding to that identity ID is "the device identity ID of the quantum security device terminal - the root key is issued to a root key operator", and, because the initial root key file0 does not exist locally, generates a first update key-up1;
     A3. The root key generation and storage device sends the first update key up1 and the information of the first root key operator where the initial root key file0 is located to the second root key operator.
  5. The method for performing root key update in a device terminal handover communication network according to claim 1, wherein the performing update operation means: and then, sequentially performing exclusive-or operation on the first to N segments by using the first update key up1, and then splicing the first to N segments after the exclusive-or operation to obtain the first update root key file1.
  6. The method for performing root key update in a device terminal handover communication network according to claim 1, wherein the performing update operation means: extracting any number of fragments, each with a length equal to that of the first update key-up1, from the initial root key file0, marking them as the first to Mth fragments, and recording the position of each extracted fragment in the initial root key file0; then performing an exclusive-or operation between the first update key-up1 and each of the first to Mth fragments in sequence, and writing the exclusive-or results back to the positions of the originally extracted fragments, thereby finally obtaining the first update root key file1.
  7. The method for performing root key update in a device-terminal switched communication network according to claim 1, wherein the specific process of performing the consistency comparison between the local second update root key file1' and the first update root key file1 in the second network communication device is as follows:
     The quantum security device terminal generates an irreducible polynomial p2 locally, records the character string formed by the coefficients of p2 other than that of the highest term as str2, acquires an input random number s2 from the second update root key file1', records the index index-s2 of the random number s2, generates a hash function H_{p2,s2} based on the irreducible polynomial p2 and the input random number s2, and calculates the hash value of the second update root key file1' by using the hash function H_{p2,s2} to obtain a third hash value H3;
     The quantum security device terminal acquires a first encryption key k1 and the key index idx1 of the first encryption key k1 from the second update root key file1', encrypts the third hash value H3, the character string str2 and the index-s2 by using the first encryption key k1 to obtain a ciphertext M, and sends the ciphertext M and the key index idx1 to the second network communication device;
     The second network communication device determines a first decryption key k1' from the first update root key file1 according to the key index idx1, decrypts the ciphertext M by using the first decryption key k1' to obtain a third hash value H3', a character string str2' and an index-s2', and obtains an input random number s2' from the first update root key file1 according to the index-s2'. Then the hash function H'_{p2,s2} is used to calculate the hash value of the local first update root key file1, giving a fourth hash value H4. The decrypted third hash value H3' is compared with the fourth hash value H4, and if they are consistent, the next step is carried out;
     B4. In response to the successful comparison, the second network communication device sends feedback indicating the successful comparison to the quantum security device terminal, and the quantum security device terminal carries out encrypted communication with the second network communication device based on a key in the local second update root key file1'.
  8. A system for a method for root key update based on the device terminal switching communication network according to any one of claims 1 to 7, characterized in that the system comprises a root key generation and storage device, a first root key operator, a second root key operator, a first network communication device, a second network communication device and a quantum security device terminal, wherein the first root key operator and the first network communication device are located in the first communication network, and the first root key operator is connected with the first network communication device and with the root key generation and storage device;
     The root key generation and storage device is used for generating an initial root key FILE0 and a root key encryption key0 for the quantum security device terminal, encrypting the initial root key FILE0 by using the root key encryption key0 to obtain an initial root key ciphertext FILE0, and presetting and storing the initial root key ciphertext FILE0 in the quantum security device terminal;
     The first root key operator is used for sending the initial root key file0 to the first network communication device and to the second root key operator;
     The first network communication device is used for carrying out root key authentication with the quantum security device terminal and, after the authentication passes, carrying out encrypted communication with the quantum security device terminal by using a key in the initial root key file0;
     The second root key operator is used for carrying out identity authentication on the quantum security device terminal; after the identity authentication passes, it requests from the root key generation and storage device the first update key-up1 corresponding to the quantum security device terminal and the information of the first root key operator where the initial root key file0 is located, and establishes a connection with the first root key operator according to that information to obtain the initial root key file0;
     The second network communication device is used for carrying out the consistency comparison of the first update root key file1 with the quantum security device terminal;
     The quantum security device terminal performs root key authentication when connected with the first network communication device and, after the authentication passes, performs encrypted communication with the first network communication device by using a key in the initial root key file0; when connected with the second network communication device, it initiates identity authentication to the second root key operator through the second network communication device, performs the consistency comparison of the second update root key file1' with the second network communication device, and, after the comparison succeeds, performs encrypted communication with the second network communication device based on the key in the second update root key file1'.
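
The update operation of claim 6 and the match check of step (5), as an added example that is not part of the patent text: both sides XOR the first update key into the recorded fragments of file0 and proceed only if their results agree. Function names and sample bytes are assumptions made here, SHA-256 stands in for the polynomial hash H_{p2,s2} (whose construction the page does not give), the encrypted transport of the hash in claim 7 is omitted, and non-overlapping fragments are assumed.

```python
import hashlib
import hmac

def update_root_key(file0: bytes, up1: bytes, positions: list[int]) -> bytes:
    """XOR up1 into the len(up1)-byte fragment at each recorded position and
    write the result back in place (the claim 6 update operation)."""
    n = len(up1)
    if n == 0:
        raise ValueError("update key is empty")
    ordered = sorted(positions)
    if ordered and (ordered[0] < 0 or ordered[-1] + n > len(file0)):
        raise ValueError("fragment lies outside the root key file")
    # Assumption: fragments must not overlap, otherwise "replace in place"
    # is ambiguous. The claim does not state this.
    if any(b - a < n for a, b in zip(ordered, ordered[1:])):
        raise ValueError("fragments overlap")
    out = bytearray(file0)
    for pos in ordered:
        for i, k in enumerate(up1):
            out[pos + i] ^= k
    return bytes(out)

def fingerprint(root_key: bytes) -> bytes:
    # Stand-in digest: the claims use a hash built from an irreducible
    # polynomial and a random number; SHA-256 is substituted here.
    return hashlib.sha256(root_key).digest()

def consistent(terminal_file1: bytes, network_file1: bytes) -> bool:
    """Step (5): both sides continue only if their updated files match."""
    return hmac.compare_digest(fingerprint(terminal_file1),
                               fingerprint(network_file1))

# Constructed sample values, not real key material.
SAMPLE_FILE0 = bytes(range(64))
SAMPLE_UP1 = bytes.fromhex("a5" * 8)
SAMPLE_POSITIONS = [0, 24, 48]

if __name__ == "__main__":
    operator_file1 = update_root_key(SAMPLE_FILE0, SAMPLE_UP1, SAMPLE_POSITIONS)
    terminal_file1 = update_root_key(SAMPLE_FILE0, SAMPLE_UP1, SAMPLE_POSITIONS)
    print("match:", consistent(terminal_file1, operator_file1))
    # A side that recorded a different fragment position fails the check.
    drifted = update_root_key(SAMPLE_FILE0, SAMPLE_UP1, [0, 24, 40])
    print("match with different positions:", consistent(terminal_file1, drifted))
    changed = sum(a != b for a, b in zip(SAMPLE_FILE0, operator_file1))
    print("bytes changed:", changed, "of", len(SAMPLE_FILE0))
```

Bytes outside the recorded positions are identical in file0 and file1, so the choice of positions determines how much of the root key actually changes between networks.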

Description

Method and system for updating root key by switching communication network by equipment terminal

Technical Field

The invention relates to the technical field of keys, in particular to a method and a system for updating a root key by switching a communication network by a device terminal.

Background

With the rapid development of quantum technology, traditional encryption systems face a potential threat, and quantum security communication technology has emerged in response. Quantum security device terminals, as an important carrier for implementing quantum key distribution or quantum key management, typically rely on preset root keys to complete authentication and encrypted communication with the communication network they belong to. In practice, the quantum security device terminal performs authentication and other operations with the network when it accesses the communication network for the first time, which finally activates the root key and forms a closed and controllable security trust system.

However, the prior art scheme has a significant limitation: the root key and related parameters of the quantum security device terminal are already generated and fixed at the time of shipment. When the terminal connects to a communication network for the first time, the root key and related parameters in the quantum security device terminal are activated and used. When a quantum security device terminal needs to log off from one communication network (e.g., a first communication network) and access another independent communication network (e.g., a second communication network) due to traffic adjustment, the existing mechanism cannot support smooth transfer of its security identity.
Since different communication networks typically have key management and authentication systems that are independent of each other and do not trust each other, a root key preset in the original terminal and bound to the first communication network is considered invalid or unsafe in the second communication network. Thus, to ensure that the security boundaries of the new communication network are not broken and to prevent potential identity impersonation or key leakage risks, the only current solution is to require the terminal device to physically "go back to the factory", i.e. to have the root key re-injected.

This need to return to the factory whenever the network changes brings several prominent problems: (1) high operating cost, since round-trip logistics for the equipment are involved and the time delay and economic burden increase noticeably; (2) security and disclosure risks, since the frequent factory-return reset process itself increases the potential exposure of key material during transport and handling; and (3) wasted keys, since the root key used for encrypted communication with the logged-off communication network becomes invalid and can only be discarded, which is a great waste.

Therefore, an innovative technical scheme is urgently needed that allows the root key of a quantum security device terminal to be reset safely, online and without factory return between different communication networks, while guaranteeing quantum-level security, so that the usability of the equipment is improved, the operation and maintenance cost is reduced, and quantum-secure interconnection is promoted.
Disclosure of Invention

The invention aims to provide a method and a system for updating a root key by switching a communication network by a device terminal, which solve the problems of high operating cost, key waste and the like caused by the existing practice of returning to the factory when changing networks. The quantum security device terminal can have a corresponding root key in every communication network it is to be used in without returning to the factory to reset the root key, and the root key used in each communication network differs from the reused initial root key, which further ensures the security of encrypted communication and reduces the risk of attack.

The method for updating the root key by switching the communication network by the equipment terminal comprises the following steps:

(1) The root key generation and storage device generates an initial root key FILE0 and a root key encryption key0 for the quantum security device terminal, encrypts the initial root key FILE0 by using the root key encryption key0 to obtain an initial root key ciphertext FILE0, and presets the initial root key ciphertext FILE0 to be stored in the quantum security device terminal;

(2) When the quantum security equipment terminal is accessed to a communication network for the first time, namely, the quantum security equipment terminal is accessed to the first communication network, root key authentication is carried out with first network communication equipment in the first